PhD Defence by Martin Fejrskov Andersen
04.07.2022 kl. 13.00 - 16.00
Detecting malware and cyber attacks using ISP data
Internet Service Providers can access their subscribers' IP traffic and various other data, such as information about the device type used, the approximate geographical location of a subscriber, and contact information for the subscriber. This data is attractive for a number of use cases, such as malware and cyber-attack detection. However, as the same data can also be used for much less honorable purposes, ISP data is subject to strict regulatory requirements in the European Union. In a collection of papers, this thesis expands the current state of the art by describing which data is technically and legally available to ISPs in the European Union, how the regulatory requirements on anonymization can be implemented, and by presenting a number of novel use cases for anonymized NetFlow and DNS data. Specifically, the thesis explores the impact of applying DNS-based blacklists at ISP scale, estimates the prevalence of, and the reasons for, the use of third-party DNS resolvers, and describes a novel method to determine whether a third-party DNS resolver is malicious. It also proposes a botnet command-and-control scheme that uses format-preserving encryption of IP addresses as an alternative to existing fast-flux techniques. The overall conclusion of the thesis is that the anonymization requirements significantly reduce the applicability of ISP data for cyber security purposes, although such data can still be valuable for more specific use cases that are primarily applicable in an ISP context. While this conclusion is positive from a privacy point of view, it can still be debated whether the legislation strikes the right balance between privacy and cyber security.
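To make concrete what "format-preserving encryption of IP addresses" means, here is an added illustration written for this page; it is not the thesis's C2 scheme nor its anonymization method, and the thesis itself is not summarized in code anywhere on this page. The block builds a toy 32-bit Feistel cipher (HMAC-SHA256 as the round function, 8 rounds) so that every ciphertext is again a syntactically valid IPv4 address, then applies it to constructed NetFlow-like records. The key, the record layout and the sample addresses are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress

# Illustrative construction for this page only; it is not the C2 scheme or
# the anonymisation method of the thesis. A balanced Feistel network over the
# 32-bit IPv4 address space: each round XORs one 16-bit half with an
# HMAC-SHA256 tag of the other half, keyed with a per-deployment secret.
# Since the permutation maps 32-bit integers onto 32-bit integers, the
# ciphertext of any IPv4 address is again a syntactically valid IPv4 address.
ROUNDS = 8
MASK16 = 0xFFFF


def _round_function(key: bytes, round_index: int, half: int) -> int:
    """Pseudorandom 16-bit value derived from the key, round number and half."""
    msg = bytes([round_index]) + half.to_bytes(2, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big")


def encrypt_u32(key: bytes, value: int) -> int:
    """Feistel encryption of a 32-bit integer; returns a 32-bit integer."""
    left, right = (value >> 16) & MASK16, value & MASK16
    for i in range(ROUNDS):
        left, right = right, left ^ _round_function(key, i, right)
    return (left << 16) | right


def decrypt_u32(key: bytes, value: int) -> int:
    """Inverse of encrypt_u32: same rounds applied in reverse order."""
    left, right = (value >> 16) & MASK16, value & MASK16
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, i, left), left
    return (left << 16) | right


def encrypt_ipv4(key: bytes, addr: str) -> str:
    plain = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(encrypt_u32(key, plain)))


def decrypt_ipv4(key: bytes, addr: str) -> str:
    cipher = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(decrypt_u32(key, cipher)))


def pseudonymise_flows(key: bytes, flows):
    """Replace src/dst addresses in NetFlow-like records with their FPE image.

    The mapping is deterministic, so all flows of one subscriber stay linkable
    (which is what keeps the data useful for detection), while the real
    address is recoverable only by whoever holds the key.
    """
    out = []
    for flow in flows:
        rec = dict(flow)
        rec["src"] = encrypt_ipv4(key, flow["src"])
        rec["dst"] = encrypt_ipv4(key, flow["dst"])
        out.append(rec)
    return out


# Constructed sample records (not real ISP data) in a NetFlow-like shape.
SAMPLE_FLOWS = [
    {"src": "10.20.30.40", "dst": "93.184.216.34", "dport": 443, "bytes": 5120},
    {"src": "10.20.30.40", "dst": "198.51.100.7", "dport": 53, "bytes": 96},
    {"src": "10.20.30.41", "dst": "93.184.216.34", "dport": 443, "bytes": 2048},
]
DEMO_KEY = b"per-deployment secret, 32 bytes!"  # constructed demo key, assumption


if __name__ == "__main__":
    for rec in pseudonymise_flows(DEMO_KEY, SAMPLE_FLOWS):
        print(rec)
    for addr in ("10.20.30.40", "93.184.216.34"):
        c = encrypt_ipv4(DEMO_KEY, addr)
        assert decrypt_ipv4(DEMO_KEY, c) == addr
        print(addr, "->", c)
```

Two caveats a practitioner should keep in mind. First, a keyed, reversible mapping like this is pseudonymisation, not anonymisation: anyone holding the key can recover the subscriber address, so the records remain personal data under the GDPR for the key holder, which is exactly the kind of constraint the abstract refers to. Second, the 8-round, 32-bit Feistel above is a teaching construction; a production deployment would use a standardised format-preserving cipher such as FF1 from NIST SP 800-38G, and would still have to account for the fact that a deterministic mapping preserves traffic frequencies and therefore allows frequency-based re-identification.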
Professor Hans-Peter Schwefel, Aalborg University, Denmark (chairman)
Associate Professor Joao Gondim, University of Brasilia, Brazil
Professor Albert Cabellos, Universitat Politècnica de Catalunya, Spain
Professor Jens Myrup Pedersen, Aalborg University, Denmark
Per Olsen, Chief Security Officer, Telenor
Associate Professor Emmanouil Vasilomanolakis, Technical University of Denmark
Associate Professor Tatiana Kozlova Madsen, Aalborg University, Denmark
How to participate
The PhD defence will be carried out in hybrid format, meaning you can join on location or online.
Online via this link: Microsoft TEAMS
Video ID: 128 246 513 3
After the defence there will be a reception outside the auditorium.
Free of charge
Communication, Media and Information Technologies, Department of Electronic Systems
Aalborg University, Niels Jernes Vej 14, Auditorium 4-111